The ransomware attack against Colonial Pipeline is a stark warning of the cybersecurity threats faced by critical infrastructure
As news of cyberattacks and ransomware continues to clog up the headlines, business leaders are upping their spending on cybersecurity, according to a new report from research firm Gartner.
What the report didn’t mention was the number of high-profile cybersecurity incidents reported over the last few months that had IT and incident response teams scrambling to lock down corporate environments from ransomware groups.
“Organisations continue to grapple with the security and regulatory demands of public cloud and software-as-a-service.”
Looking ahead, we’re seeing early signals of growing automation and further adoption of machine learning technologies in support of AI security. To combat attacks, organisations will extend and standardise threat detection and response activities.
Detect, protect, recover
The ransomware attack against Colonial Pipeline that sent shockwaves throughout the U.S. economy and jacked up fuel prices across the country is a stark warning that ransomware and other cyberattacks continue to pose a significant threat to critical infrastructure.
Cybercriminals were emboldened in 2020 as organisations faced an increased attack surface, with employees working from anywhere and depending more than ever on technology to do their jobs. Ransomware was especially prevalent: some reports suggest ransomware attacks increased by over 700%, according to Bitdefender.
“If the IT teams charged with securing critical infrastructure haven’t already opened their eyes to this alarming trend, then they should now”, says Assembly’s Technical Director, James Reilly.
“Ransomware is an interesting one because it’s not custom-built for certain industry verticals or certain companies, sizes or whatever the case is. There’s universal applicability.”
What happened to Colonial Pipeline and why it matters to you
Colonial Pipeline, the largest pipeline operator in the U.S. and one of the main suppliers of fuel to the East Coast, was hit on May 7 with ransomware from the ransomware-as-a-service group DarkSide, and the company’s systems were taken offline to prevent further intrusion. How the group initially gained access to the company’s network is still being investigated.
The company restored operations on May 13, but that came at a cost.
According to news reports, the company paid upwards of $4 million in ransom to the hacking group.
Just a few days later, DarkSide said its server and cryptocurrency were seized by an unknown country, and the group said it would cease operations.
Other research indicates that DarkSide took in just over $90 million in Bitcoin ransom payments from 47 different wallets over just nine months – not a bad way to make a living.
While the debate about whether organisations should pay a ransom to have their data back safe and sound continues, the decision for Colonial was a hard – but necessary – one to make.
There were significant downstream ramifications of this. The entire U.S. economy could have been thrown into a downward spiral if the leading supplier of fuel to the East Coast couldn’t deliver.
A wake-up call for infrastructure IT pros
Attacks against critical infrastructure should be a wake-up call for the entire IT community, especially those tasked with protecting critical infrastructure.
The main thing is understanding that it could happen to anybody. Take the hack of a Florida city water treatment plant, in which a cyber attacker attempted to increase the level of a chemical that could have been harmful to thousands of residents.
As more IT is introduced to the operational technology (OT) side of the equation, cybersecurity tends to fall by the wayside. Historically, critical infrastructure control systems and OT components have been ‘air gapped’, meaning they are isolated from unsecured networks.
We’re starting to see that go away, as IT injects more and more into the OT side.
Critical infrastructure is now littered with smart technology, such as sensors that sit on the network and report data back to the operators, and this is making these organisations vulnerable. Organisations also want to manage those systems remotely, which is leading to increased use of remote management software.
The attacks, the attack vectors and the tooling being used aren’t novel or unique. A lot of the time, it’s just a repeat of the attacks that have been working on the IT side.
We’ve already learned these lessons on the IT side, through years of innovation in general corporate systems and technology, and we just need to apply a lot of that over to the OT side.
At the very least, invest in basic cybersecurity protections
The main reason people are not protecting their data, and by extension their business operations, is because of the misconception that it is already being done for them. Business leaders want to believe their IT people have something in place to ensure information cannot be lost.
As IT continues to merge with OT, organisations need to invest in the same cybersecurity solutions and practices that they implement throughout the corporate network.
While it’s unknown how DarkSide first infiltrated Colonial’s network, many cybercriminals do so through unpatched systems or phishing attacks. They go after the lowest-hanging fruit and seize on cybersecurity lapses.
In the case of the Florida water treatment plant hack, the system was running on an unsupported version of Windows, workers shared a password and they used a popular remote access program to control the plant.
This could have been prevented with some basic controls and IT hygiene: making sure you’re patching systems, backing things up and doing all the normal things you would expect on the IT side, but applying them to the OT side as well.
How is your organisation prioritising security in 2021? Ensure that you’re advocating for spending on the right cybersecurity solutions.